Certifications no substitute for technical acumen
Hot button information assurance issues spark strong opinions
Readers had strong opinions about the issues raised in the recent Defense Systems story “New threats compel DOD to rethink cyber strategy.” The comments for the most part addressed hot-button issues such as certifications and information assurance policies and procedures.
Of Defense Department Directive 8750, which mandates that military personnel, civilian employees and government contractors be certified as information assurance professionals, one commenter questioned if that initiative has been effective. “So much time and money is being spent to get your service men and civilians certificated that they are missing out on critical training needed to evolve with the enemy.” As a result of the requirement, “men and women are studying to pass tests to keep their jobs rather than applying analytical thinking to the defense of the country.”
Related story
New threats compel DOD to rethink cyber strategy
Another commenter said the emphasis on certifications misses the point entirely and that information assurance specialists should have to prove their knowledge and skills through a rigorous interview process.
“By relying on ‘wall paper’ you very likely prevent the hiring of technical folks that you are really looking for. Many of the certification classes that I have attended have been nothing more than slightly technical and used mainly as marking for companies ‘teaching’ the classes. Certifications should be talked about after the hiring process has been completed.”
The commenter related an anecdote about a private-sector financial institution that hired known hackers to guard its network and teach concepts to the rest of the IT staff. As a result, network breaches declined immediately, the commenter said.
Another commenter said the emphasis on certification misses the point. The commenter holds that some of those best qualified for the work are those that “shun certifications and would barely pass any standardized tests because they are not wired for traditional thought.”
“You want a solution, (then) you have to literally stop thinking inside your box and start thinking inside their box. Figure out a way to make these people comfortable to they can be available to work for you,” the commenter wrote.
A commenter who is a DOD information assurance specialist has observed multiple instances of lax enforcement of rules and policy over the years. That kind of mindset led to the 2008 malware attack, the commenter noted.
“Until we have users and leadership adopting IA controls, this will continue to happen.”
About the Author
William Welsh is the managing editor of Defense Systems. Follow him on Twitter: @WilliamWelsh12.